How to install Let's Encrypt SSL certificate on Nextcloud plugin?

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
Hi ya,

I am sorry for asking silly questions that might be answered on the web somewhere already but I cannot really find the answers I need. I know there must be an easy way of doing it. I've installed Let's Encrypt SSL cert on many VMs/Web Servers using Ubuntu but I cannot figure out how to install the LE cert on my hyper-v>FreeNAS 11.2>NextCloud v15 plugin setup. I got FreeNAS and NextCloud plugin up and running quite easily and fast. Port forwarding has been set on my router correctly so now it's accessible from the internet with a FQDN. All seems to be working fine, however, when I am trying to install the LE certbot I get stuck when following these articles anyway.

https://www.freshports.org/security/py-certbot-nginx
or
https://certbot.eff.org/lets-encrypt/freebsd-nginx
(I am using nginx and FreeBSD)

I get actually stuck with the very first two command lines
1. cd /usr/ports/security/py-certbot && make install clean

/usr/ports/security/py-certbot: No such file or directory.

2. pkg install py27-certbot

root@nextcloud:/ # pkg install py27-certbot
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'py27-certbot' have been found in the repositories

I have no idea how to get py27-certbot to my repositories on the nextcloud jail? I am accessing it via Nextcloud jail shell.

I am again sorry. I am very new to FreeNAS and to FreeBSD too. I'd appreciate any help that will get my owncloud secured as soon as possible, you know.

Thank you
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
Option 1: Use my script, which includes the Let's Encrypt cert on its own.

Option 2: Use a different client than certbot, which isn't included in the repositories used by the plugins. I'm a fan of acme.sh.
 

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
Looks like you've installed nextcloud using the plugin. If you want to install certbot, you'll need to switch from the iocage-plugins repository to the FreeBSD repository. I've provided brief instructions on how to do this in this post. The problem at the moment is that you're querying a list of packages specific to iocage-plugins. Since certbot is not on that specific list, your pkg install command is failing to locate it. If you switch to the larger, FreeBSD list (repository), it will be able to find py27-certbot. Once you've changed repositories, you should be able to run pkg install py27-certbot without issues.

In terms of actually using certbot, I've provided some instructions in my Nextcloud 14/15 Installation Guide. As danb35 mentioned, acme.sh is also a good alternative that circumvents some of the issues in actually using certbot.
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
Hi and sorry for late reply,

I am going to try both methods soon and will let you know which one is more convenient and easier to use. However, I was also wondering if installing a Comodo SSL certificate on my jailed nextcloud server would be as easy as just copying the crt and key files to the SSL folder
/mnt/NextCloud-Pool/iocage/jails/nextcloud/root/usr/local/etc/ssl

and configure nginx accordingly

ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

Source: https://docs.nextcloud.com/server/14/admin_manual/installation/nginx.html

I have installed my SSL certificates on Ubuntu servers this way many times and it worked perfectly. I mean Comodo certs. Not sure if this is possible for Let's Encrypt certs to be installed manually like that.

Thank you
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
It's possible for the Let's Encrypt cert to be installed any way you like, including manually as you suggest. What isn't readily possible is for them to be obtained that way. Let's Encrypt certs are obtained using an ACME client (though there are web-based clients like zerossl.com if you don't want to use software installed on the server, they're discouraged due to the short cert lifetimes).
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
You're right. That's something I totally forgot about. I got used to installing LE SSL certs on VestaCP the lazy way. So, thanks for reminding me of that.

However, I am kinda struggling with Comodo SSL cert manual installation too. I realized I have one free promo Comodo SSL cert available at namecheap.com so I decided on activating it and installing it today. I downloaded it and uploaded it to my FreeNAS but I got stuck setting it up on the Nextcloud plugin running in jail. I have the CA-Bundle, Security Cert, PKCS #7 Certificate and my private key files ready but I am really not sure where exactly to upload them, and which nginx config file to configure, and how, to run my NextCloud over https. Is this even the correct place to put these cert files? /mnt/NextCloud-Pool/iocage/jails/nextcloud/root/usr/local/etc/ssl

Maybe I am tired after this long week at work and I should try it again next time but if you could point me in the right direction, I'd really appreciate it. This is the first time I am setting up SSL cert on FreeBSD server and NextCloud running in docker with Nginx & PHP-FPM so, I am quite confused.

I thought, it will be as easy as on ubuntu but looks like I am missing something. I'll definitely read more about FreeBSD, Nginx and SSL certs in the near future but if you could help me setting the SSL cert up, it would be awesome.

Articles I tried to follow are below
https://www.namecheap.com/support/k...spx/9419/33/installing-a-certificate-on-nginx
https://docs.nextcloud.com/server/14/admin_manual/installation/nginx.html

Thank you in advance
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
Hi,
me again. I've spent several hours trying to install Comodo SSL cert today and yesterday but I am being unsuccessful.

Code:
server {
    listen 80;
    server_name mydomain.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name mydomain.com;

    ssl_certificate /usr/local/etc/ssl/mydomain.crt;
    ssl_certificate_key /usr/etc/ssl/mydomain.key;


This is the only change I made to nginx nextcloud.conf file that I think should be correct but it looks like I am mistaken. Well, I've tried many other different ways of configuring the nginx conf files, placing my cert and key into different folders and adjusting permissions but still no luck. Am I missing something? I restart nginx server after making changes to conf files and I also restart the jail but I still cannot access my domain over https.

I found many articles about setting up SSL cert for Nextcloud running on ubuntu/nginx but nothing's working. I am pretty sure my issued cert is correctly linked to its private key because I successfully added the CA and cert to the FreeNAS system via GUI. I am pretty sure it's gonna be an easy fix for such experienced guys like you. I've been playing with FreeBSD for almost 3 weeks so I am still a newbie.

Please, help. I am begging you for help.

Thank you
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
Please, help. I am begging you for help.
Best I can tell you is to use my script, which automates the SSL configuration, or use @samuel-emrys' documentation for manual installation (which also covers SSL). If you're determined to make it work with the plugin (why?), you could at least say what's happening--"it doesn't work" isn't very useful.
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
@danb35 I'll most probably go for your script cause I've checked Samuel's documentation that looks pretty detailed and educative, by the way. I also found answers to my other questions in his doc, however, it looks very long and time consuming for me to follow it right now. It's something I cannot afford at the moment.

I didn't expect that coming, I mean that securing Nextcloud plugin in jail on FreeNAS would give me such a headache. I am just wondering if I can use your script and install Comodo signed certificate instead of free Let's Encrypt one. If not, it's not a big deal as I got it for free for one year. I have also noticed that your script installs Apache2 instead of nginx. I haven't used Apache for ages so I was looking for configuration tutorials in order to configure Nextcloud plugin running on FreeBSD jail, MySQL, nginx & php-fpm only. No luck there :(

I definitely like the idea of creating separated datasets for your script as well as Samuel explains this in his documentation. It's something, I've been trying to achieve with the NextCloud plugin but I was unsuccessful. Now, I know why.

So, I am going to try out your script first despite I have Comodo cert issued for my domain already. I'll try to follow Samuel's Documentation another time, when I have more time to play with this.

I am pretty sure I would already be up and running with secured Nextcloud on ubuntu with nginx & php-fpm but that would not have been such a challenge though.

Thank you
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
I forgot to answer your questions...

If you're determined to make it work with the plugin (why?)
I kinda assumed that plugins are ready to go with all the basic features including SSL but I was mistaken. Lesson learnt. As I mentioned, I got used to installing Let's Encrypt SSL certs by a few clicks in other GUI/control panels like cPanel or VestaCP. I am very new to FreeNAS so I am still discovering its capabilities, you know.

you could at least say what's happening--"it doesn't work" isn't very useful.
Basically, when I turn on SSL in nginx conf file and point to the cert folder where's my cert and key files located, and I setup my domain to be accessible over https in all other config files, I am getting: This site can’t be reached, anyway.
 

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
Basically, when I turn on SSL in nginx conf file and point to the cert folder where's my cert and key files located, and I setup my domain to be accessible over https in all other config files, I am getting: This site can’t be reached, anyway.
This is a nondescript error; to debug this further you'd need to dig into the nginx logs to work out what's actually failing with SSL.


I have also noticed that your script installs Apache2 instead of nginx. I haven't used Apache for ages so I was looking for configuration tutorials in order to configure Nextcloud plugin running on FreeBSD jail, MySQL, nginx & php-fpm only. No luck there

Have you tried following the Nextcloud nginx configuration documentation? It seems relatively detailed?


So, I am going to try out your script first despite I have Comodo cert issued for my domain already. I'll try to follow Samuel's Documentation another time, when I have more time to play with this.
@danb35's script and my tutorial fill largely the same purpose. There are a number of small configuration changes, but aside from the additional hardening measures I discuss, I'm not sure you'd gain a lot by doing both. I've found going through the set up procedure in my guide takes between 2 and 3 hours, which I bet is less than the time you've already put into troubleshooting this issue :)
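
A quick check to run alongside reading the nginx logs, as an added example that is not part of the original posts: it lists every `ssl_certificate` / `ssl_certificate_key` path in an nginx config, checks that each file exists as the jail sees it, flags a world-readable key, and compares the certificate's public key with the private key. The function names, the jail-root argument and the sample layout used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.
# Checks the certificate files an nginx config points at, as seen from
# inside the jail. The second argument is the jail's root directory on
# the host; leave it empty when running inside the jail itself.

# Print "directive path" for every ssl_certificate* line, comments stripped.
ssl_paths() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            sub(/;$/, "", $2); print $1, $2
        }'
}

# Report each referenced file; return the number missing or unreadable.
check_ssl_paths() {
    conf=$1
    jail_root=${2:-}
    missing=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        file="${jail_root}${path}"
        if [ ! -r "$file" ]; then
            echo "MISSING $directive $path (resolved to $file)"
            missing=$((missing + 1))
        elif [ "$directive" = ssl_certificate_key ] &&
             [ -n "$(find "$file" -perm -004)" ]; then
            echo "WARN    $directive $path is world-readable"
        else
            echo "OK      $directive $path"
        fi
    done <<EOF
$(ssl_paths "$conf")
EOF
    return "$missing"
}

# Exit 0 only if certificate ($1) and private key ($2) hold the same
# public key; exit 2 if either file cannot be parsed. Requires openssl.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Paths in the config are resolved relative to the jail's root, so a file copied on the host under `.../jails/nextcloud/root/usr/local/etc/ssl` is `/usr/local/etc/ssl/...` from nginx's point of view; `nginx -t` inside the jail reports the same kind of missing-file error before a restart.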
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
You can use my script with the SELFSIGNED_CERT option to run it without generating a cert from Let’s Encrypt, then replace that cert with your Comodo cert. If you’d rather use nginx, I think @NasKar has a fork of my script using that rather than Apache.
 

lbartosek

Dabbler
Joined
Dec 12, 2018
Messages
13
@danb35 Thanks for pointing me to the right documentation/script. I finally got it running thanks to NasKar's forked script I found within his posted articles on FreeNAS forum. I believe your script would work out for me too, but because I'd rather use nginx instead of Apache, I used NasKar's script, and now I am running Nextcloud on the web server I wanted. It's a shame that the plugin isn't capable of pre-installation configurations like your scripts are. I am talking especially about SSL and the custom datasets. I found your scripts easy to follow and working with SSL certs out of the box. This is brilliant! I still have a couple of questions for you, or probably I'll direct them at NasKar from now on as I used his script. I just didn't investigate why the Let's Encrypt SSL cert wasn't working right after the successful installation but I just copied my issued SSL Comodo cert and changed the nginx config file accordingly, which works like a charm. It took no more than 20 minutes to get it all running. Nice. Well done guys!!!

@samuel-emrys
@danb35's script and my tutorial fill largely the same purpose. There are a number of small configuration changes, but aside from the additional hardening measures I discuss, I'm not sure you'd gain a lot by doing both. I've found going through the set up procedure in my guide takes between 2 and 3 hours, which I bet is less than the time you've already put into troubleshooting this issue :)

You're right, I was probably just tired and lazy in the night after a hard day at work. I'll definitely go for your tutorial as I want to know how it all works in detail.

I'm not sure you'd gain a lot by doing both
I didn't mean to use both of your scripts in the same time and on the same production server. I was just planning to go for your documentation and play with it on my VM where I, by the way, started playing with FreeNAS before I built my hardware server.

Have you tried following the Nextcloud nginx configuration documentation? It seems relatively detailed?

Of course, I followed the Nextcloud nginx configuration documentation, however, that's what I couldn't figure out and therefore I've been asking here for help. I am not 100% sure but now I probably know where was my problem while I was configuring nginx with SSL cert while running nextcloud plugin in jail. I'll confirm that later if I'll be playing with FreeNAS in VM.

Thank you all for your insights and support. I really appreciate it.
 